- From: <bugzilla@jessica.w3.org>
- Date: Tue, 26 Jul 2011 19:18:05 +0000
- To: public-webapps@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13373
Summary: Privacy: Limit SharedWorker connections to same top-level domain
Product: WebAppsWG
Version: unspecified
Platform: PC
OS/Version: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Web Workers (editor: Ian Hickson)
AssignedTo: ian@hixie.ch
ReportedBy: travil@microsoft.com
QAContact: member-webapi-cvs@w3.org
CC: mike@w3.org, public-webapps@w3.org
Per privacy discussion [1], Shared Workers should have a privacy clause
allowing UAs to prevent SharedWorkers from connecting when they detect that a
user's privacy could be at risk.

It is recommended that in addition to the existing checks (steps 7.5, 7.6,
7.7.1) for making a connection to a SharedWorker [2], another check should be
added that compares the top-level domain of the candidate shared worker global
scope's owning document(s) to the top-level document of the script that invoked
the constructor. If they are the same, then the connection is allowed to
proceed; otherwise, a new SharedWorkerGlobalScope should be created.

This additional privacy clause would allow connections for iframes of the same
domain within a top-level document:

Top Level Window - http://a.com
    Iframe_one - http://b.com
    iframe_two - http://b.com

Iframe_one and iframe_two would be allowed to connect... but would disallow
connections for a different top-level document:

Top Level Window - http://c.com
    iframe_three - http://b.com

iframe_three would get a unique shared worker, separate from the one shared by
iframe_one & iframe_two.

[1] http://lists.w3.org/Archives/Public/public-webapps/2011AprJun/0293.html
[2] http://dev.w3.org/html5/workers/#sharedworker
Received on Tuesday, 26 July 2011 19:18:10 UTC
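
Added example, not part of the original report or of the Web Workers spec: a toy model of the worker lookup with and without the proposed top-level check, run on the a.com / b.com / c.com scenario from the report. The class, function and file names are hypothetical; the existing checks are simplified to script URL, name and origin, and "same top-level domain" is assumed to mean an equal hostname on the top-level document URL.

```javascript
// Toy model of a UA's SharedWorker lookup (added example, not spec or browser code).
// Assumptions: the existing match is simplified to script URL + name + origin, and
// "same top-level domain" means equal hostname of the top-level document URL.
class SharedWorkerRegistry {
  constructor(partitionByTopLevel) {
    this.partitionByTopLevel = partitionByTopLevel;
    this.scopes = []; // stand-ins for live SharedWorkerGlobalScope objects
  }

  // request: { scriptUrl, name, documentUrl, topLevelUrl }; returns the scope id.
  connect(request) {
    const origin = new URL(request.documentUrl).origin;
    const topHost = new URL(request.topLevelUrl).hostname;
    const match = this.scopes.find((scope) =>
      scope.scriptUrl === request.scriptUrl &&
      scope.name === request.name &&
      scope.origin === origin &&
      // Proposed extra check: the owning documents' top-level domain must match.
      (!this.partitionByTopLevel || scope.topHost === topHost));
    if (match) {
      match.owners.push(request.documentUrl);
      return match.id;
    }
    // No acceptable candidate: create a new global scope for this caller.
    const scope = { id: this.scopes.length + 1, scriptUrl: request.scriptUrl,
      name: request.name, origin, topHost, owners: [request.documentUrl] };
    this.scopes.push(scope);
    return scope.id;
  }
}

// Constructed scenario from the report: two b.com iframes under a.com,
// and a third b.com iframe under c.com, all asking for the same worker.
function runScenario(partitionByTopLevel) {
  const registry = new SharedWorkerRegistry(partitionByTopLevel);
  const worker = { scriptUrl: "http://b.com/worker.js", name: "shared" };
  const connect = (documentUrl, topLevelUrl) =>
    registry.connect({ ...worker, documentUrl, topLevelUrl });
  return {
    iframeOne: connect("http://b.com/one.html", "http://a.com/"),
    iframeTwo: connect("http://b.com/two.html", "http://a.com/"),
    iframeThree: connect("http://b.com/three.html", "http://c.com/"),
  };
}

console.log("without check:", runScenario(false));
console.log("with check:   ", runScenario(true));
```

Without the check all three iframes land in one global scope, which gives b.com a channel that links the user's visits to a.com and c.com; with it, iframe_three is isolated in its own scope.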